How to Meet the ISO 27001 Requirements Around Interested Parties (2024)


When embarking on your certification to ISO 27001 or your migration to the 2022 version of the Standard, one of the first steps (after defining scope, setting objectives, and allocating roles and responsibilities) is to consider interested parties and their requirements. The Standard requires you to determine who your interested parties are, identify their requirements, establish which of these will be addressed through your information security management system (ISMS), itself a new explicit requirement in the 2022 version, and communicate any relevant information to them. With the ever-evolving nature of businesses, government laws and policies, industry regulations, and cyber security, the requirements of interested parties can change quite significantly, and consideration of these changes at management review is also a new requirement in ISO 27001:2022.

In this blog, we will outline the requirements around interested parties in ISO 27001 and offer advice and guidance on how you can meet them.

Who are your interested parties?

First and foremost, you will need to understand who or what is considered an ‘interested party’. Clause 4.2 of ISO 27001 requires you to determine the interested parties that are relevant to the ISMS. The context of your organisation (Clause 4.1) provides the framework for identifying the individuals and entities that have a stake in the operations, performance, and outcomes of your organisation and are, therefore, interested parties.

As there are internal and external factors that shape your organisation’s strategies, there are also internal and external interested parties. Examples of interested parties internal to the organisation include executive members/leaders, employees, and legal and compliance teams. External interested parties can include customers, suppliers, competitors, partners, legal and regulatory bodies, insurance providers, auditors and assessors, media, landlords, etc.

Relational mapping will help you to visualise the interconnectedness of different parties, and this will require you to thoroughly consider new and existing relationships essential to the organisation, both internal and external. It is important to remember that you need to consider not only relationships that benefit your organisation, but also competitors and influencers that affect business decisions and planning.


What are your interested parties’ needs?

Once you have identified your interested parties, it is important to understand and manage their requirements and expectations, but to do so you will need to establish what those requirements and expectations include. Expectations can encompass a wide range of factors including quality, service, security, ethical behaviour, and social responsibility. Requirements, on the other hand, are more specific and represent mandatory criteria, conditions, or standards that your organisation is expected to adhere to. By keeping this difference in mind, it will be much easier to determine who requires or expects what from your organisation.

Clause 4.2 of the Standard states that organisations need to determine the relevant requirements of their interested parties. Using the example of a customer as an interested party, their relevant expectations could include maintaining data confidentiality, high data and service availability, and secure data backup. Meanwhile, their requirements would include compliance with quality and industry regulations, fulfilment of legal obligations, abiding by a contract or service-level agreement (SLA), etc.

It is important to note that each of your interested parties’ requirements can vary in nature. For example, while customers can be categorised as one interested party, government customers might have different security requirements and may need to be categorised as a separate interested party. Sources for collecting and understanding interested parties’ needs include reviews, surveys, feedback, interviews, contracts and agreements, legal and regulatory requirements, market research, and industry benchmarks.

How will the interested parties’ needs be addressed, and by whom?

Next, you will need to establish how these requirements and expectations will be addressed through the ISMS. Based on the requirements and expectations of interested parties, you should define specific, measurable, achievable, relevant, and time-bound (SMART) information security objectives (Clause 6.2).

If we return to the previous example of a customer as your interested party, you would need to set security objectives aligned with your customers’ expectations and requirements, such as availability of service, data backup, data confidentiality, etc. Once the objectives have been set, the next step is to track how they are achieved. Developing metrics such as key performance indicators (KPIs) gives you a baseline for measuring and monitoring these objectives. Once KPIs are defined, you will need to set targets to track progress against them, for example availability > 95%, data backup > 85%, data confidentiality > 95%. A target is only meaningful if the KPI behind it states exactly what is counted and over what period: for availability, the share of the reporting period free of unplanned downtime; for backup, the share of scheduled backup jobs that completed (and, ideally, were verified as restorable); for confidentiality, a proxy you define, such as the share of confidentiality incidents handled within the agreed timeframe. ‘Data confidentiality > 95%’ on its own is not measurable until you have said what the 95% is of.
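To show what ‘measurable’ means in practice for the three objectives above, the following is an added example (not code from the original article or from URM) that turns constructed outage, backup-job and incident records for one reporting period into KPI values and checks them against targets. The target figures, the one-month period, the record structures and the choice of ‘incidents closed within SLA’ as the confidentiality proxy are all assumptions for illustration; the Standard prescribes none of them.

```python
"""Measure ISMS objectives as KPIs and check them against targets.

Added example, not from the original article. Targets, period and the
confidentiality proxy are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Reporting period for the KPIs: one 30-day month (constructed example).
PERIOD_START = datetime(2024, 5, 1)
PERIOD_END = datetime(2024, 5, 31)

# Assumed targets agreed with the customer (illustrative figures, not prescribed by ISO 27001).
TARGETS = {
    "availability_pct": 99.5,         # share of the period free of unplanned downtime
    "backup_success_pct": 98.0,       # share of scheduled backup jobs that succeeded
    "confidentiality_sla_pct": 95.0,  # share of confidentiality incidents closed within SLA
}


@dataclass
class Outage:
    start: datetime
    end: datetime
    planned: bool  # planned maintenance windows are excluded from the availability KPI


@dataclass
class BackupJob:
    system: str
    run_at: datetime
    succeeded: bool


@dataclass
class ConfidentialityIncident:
    opened: datetime
    closed: Optional[datetime]  # None means still open
    sla_hours: int


# Constructed sample records for the period (not real operational data).
OUTAGES = [
    Outage(datetime(2024, 5, 3, 2, 0), datetime(2024, 5, 3, 3, 0), planned=True),        # 60 min, planned
    Outage(datetime(2024, 5, 12, 14, 0), datetime(2024, 5, 12, 15, 30), planned=False),  # 90 min, unplanned
    Outage(datetime(2024, 5, 20, 9, 0), datetime(2024, 5, 20, 9, 45), planned=False),    # 45 min, unplanned
]
# Ten nightly jobs, one of which (day 7) failed.
BACKUP_JOBS = [BackupJob("crm-db", datetime(2024, 5, d, 1, 0), succeeded=(d != 7)) for d in range(1, 11)]
INCIDENTS = [
    ConfidentialityIncident(datetime(2024, 5, 2, 10, 0), datetime(2024, 5, 3, 8, 0), sla_hours=72),    # met (22 h)
    ConfidentialityIncident(datetime(2024, 5, 8, 9, 0), datetime(2024, 5, 12, 9, 0), sla_hours=72),    # missed (96 h)
    ConfidentialityIncident(datetime(2024, 5, 15, 12, 0), datetime(2024, 5, 15, 18, 0), sla_hours=24),  # met (6 h)
    ConfidentialityIncident(datetime(2024, 5, 25, 8, 0), datetime(2024, 5, 26, 6, 0), sla_hours=72),    # met (22 h)
    ConfidentialityIncident(datetime(2024, 5, 30, 20, 0), None, sla_hours=72),                          # open, not yet due
]


def availability_pct(outages, period_start, period_end):
    """Percentage of the period with no unplanned outage; outages are clipped to the period."""
    total = (period_end - period_start).total_seconds()
    down = 0.0
    for o in outages:
        if o.planned:
            continue
        start, end = max(o.start, period_start), min(o.end, period_end)
        if end > start:
            down += (end - start).total_seconds()
    return 100.0 * (total - down) / total


def backup_success_pct(jobs):
    """Percentage of backup jobs that completed successfully."""
    if not jobs:
        return 0.0
    return 100.0 * sum(j.succeeded for j in jobs) / len(jobs)


def confidentiality_sla_pct(incidents, as_of):
    """Percentage of confidentiality incidents closed within their SLA.

    Open incidents whose deadline has passed count as missed; open incidents not yet
    due are left out of the denominator so recent cases do not flatter the figure.
    """
    met = due = 0
    for inc in incidents:
        deadline = inc.opened + timedelta(hours=inc.sla_hours)
        if inc.closed is None and deadline > as_of:
            continue
        due += 1
        if inc.closed is not None and inc.closed <= deadline:
            met += 1
    return 100.0 * met / due if due else 100.0


def evaluate_kpis(targets=TARGETS):
    """Return each KPI's measured value, its target and whether the target was met."""
    measured = {
        "availability_pct": availability_pct(OUTAGES, PERIOD_START, PERIOD_END),
        "backup_success_pct": backup_success_pct(BACKUP_JOBS),
        "confidentiality_sla_pct": confidentiality_sla_pct(INCIDENTS, PERIOD_END),
    }
    return {
        name: {"value": round(value, 2), "target": targets[name], "met": value >= targets[name]}
        for name, value in measured.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_kpis().items():
        status = "MET" if result["met"] else "MISSED"
        print(f"{name:<24} {result['value']:>7.2f}%  target {result['target']:>5.1f}%  {status}")
```

With the constructed records, availability meets its target (135 unplanned minutes in a 30-day month) while backup success (90%) and confidentiality SLA compliance (75%) miss theirs, which is exactly the kind of result that should feed the periodic reviews described next. The decisions embedded in the code (excluding planned maintenance, treating overdue open incidents as missed) are the sort of measurement rules that belong in the KPI definition agreed with the interested party, not left implicit.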

You will also need to define and allocate roles and responsibilities to individuals who will supervise the work involved in achieving the objectives. If we again use the example of a customer here, a customer success manager (CSM), IT Support Manager, data protection officer (DPO), etc., would all be appropriate personnel to perform this supervision.

Periodic reviews are an essential part of evaluating the ISMS’ success and, like with most processes, policies, and procedures, these must be conducted to assess the effectiveness of the objectives set to meet the needs and expectations of your interested parties. These reviews can be done internally or by a third party, and can be performed through direct contact via service review meetings, customer feedback, periodic checks via email, etc. The reviews will provide a clear understanding of what went well and what needs to be improved.

There is a new requirement in Clause 9.3 of ISO 27001:2022 that the management review include considerations of changes in needs and expectations of the interested parties relevant to the ISMS. This can be a result of risk assessment, incident management, or simply compliance and regulatory change. These activities will provide valuable evidence for capturing any changes to the requirements of the interested parties and are a source of continual improvement.

When and what should you communicate with interested parties?

Your information security policies and any changes made to the ISMS will need to be communicated to your relevant interested parties. Clause 7.4 of the Standard states that you should determine the need for internal and external communications relevant to the ISMS, including what, when, with whom, and how to communicate. ‘What’ you need to communicate can include security incidents, supply chain or delivery changes, risks, data breaches, policy changes, moving to or opening a new location that affects the scope of the ISMS, etc.

‘When’ to communicate is crucial, so it may be useful to prioritise the communication of information that will have a significant impact on your organisation if not communicated in time. This will mostly include security incidents or risks that impact interested parties’ data or services, where contractual and legal notification deadlines often apply.

Roles and responsibilities as well as the way information is classified within your organisation will help determine ‘who’ will communicate. For example, when handling more sensitive information such as data breaches, risk assessments, and security incidents, this can be conveyed by a DPO, human resources (HR), risk manager, line manager or chief information security officer (CISO).

Finally, you will need to determine ‘how’ you will communicate, which can vary from an email, call, in-person meeting, official letter, web announcement to a team meeting. Generally, internal communication will take place by email, management review meetings, sprint meetings, team meetings, official web communication channels, etc., while external communication tends to occur via email, phone call, official letter, fax, web announcement, etc. Regardless of the means, it is imperative to communicate effectively and in time.

By keeping the above steps in mind you can confidently understand and capture the needs of interested parties, and formulate ways to track, measure, and continually improve your management of their expectations and requirements.

How URM can help

Having helped over 400 organisations to achieve and retain ISO 27001 certification over the course of nearly two decades, URM is well placed to assist you in the development, implementation, and maintenance of a robust ISMS. Our ISO 27001 consultants are experts in their field and can support you through every stage of developing the ISMS, including conducting a gap analysis of your current security practices against the requirements of ISO 27001 and identifying any areas for improvement. Using our proven risk assessment tool, Abriska 27001, we can also help you conduct your risk assessment, identifying potential threats to your information assets as well as the likelihood of them occurring. Once the risk assessment is complete, your dedicated ISO 27001 consultant will work with you to develop and implement policies, processes and ISMS infrastructure which are not only aligned with the requirements of the Standard, but also appropriate for your organisation’s unique style, culture, and needs.

Once your ISMS has been implemented, our consultants can conduct an ISO 27001 internal audit on your behalf to ensure it is functioning properly ahead of any external assessments. URM can offer your organisation a range of audit services, from planning and implementing a full three-year ISO 27001 audit programme to conducting more specific audits against any aspect of the ISMS or specific controls.

Sadia Nisar

Information Security Consultant at URM

Sadia is an Information Security Consultant at URM with extensive experience in providing ISO 27001 consultancy and implementation support, conducting ISMS audits, and facilitating Cyber Essentials assessments.


FAQs

How would you understand the needs and expectations of interested parties in ISO 27001? ›

There are a number of ways to understand and address the needs and expectations of interested parties. One common method is communicating with interested parties: the organisation should communicate with them about its ISMS, and this communication should be clear, concise, and transparent.

What is the interested parties clause of ISO 27001? ›

ISO 27001 Clause 4.2 is Understanding The Needs And Expectations of Interested Parties. It requires an organisation to understand who has an interest in the information security management system, what their requirements are and how those requirements are being met.

How do I meet ISO 27001? ›

This blog explains our tried-and-tested, nine-step approach to implementing ISO 27001:
  1. Project mandate.
  2. Develop the ISO 27001 implementation plan.
  3. ISMS initiation.
  4. Management framework.
  5. Baseline security criteria.
  6. Risk management.
  7. Implementation.
  8. Measure, monitor and review.

How to achieve ISO 27001 compliance? ›

The ISO 27001 certification process phases
  1. Phase one: create a project plan.
  2. Phase two: define the scope of your ISMS.
  3. Phase three: perform a risk assessment and gap analysis.
  4. Phase four: design and implement policies and controls.
  5. Phase five: complete employee training.
  6. Phase six: document and collect evidence.

What is the requirement of understanding the needs and expectations of interested parties? ›

It requires organisations to identify and understand the requirements of all stakeholders who can influence or be influenced by their operations. This understanding is essential for maintaining a management system (here, the ISMS) that is responsive, resilient, and aligned with business objectives.

Who are the interested parties in ISO? ›

Some examples of interested parties may include shareholders/owners of the organisation, employees, clients, suppliers and all legal entities relevant to the organisation.

Which of the following are examples of an interested party? ›

Examples of interested parties can include:
  • Suppliers.
  • Customers.
  • Partners.
  • Employees.
  • Investors.
  • Owners.
  • Bankers.
  • Regulatory bodies.

What are relevant interested parties? ›

Relevant interested parties are individuals or organisations that are in a position to influence your company's management system. As such, they are inextricably linked to the context of your organisation.

Which clauses are mandatory in ISO 27001? ›

ISO 27001 mandatory documents include:
  • Scope of the ISMS (Clause 4.3)
  • Information security policy (Clause 5.2)
  • Risk assessment and risk treatment process (Clause 6.1.2)
  • Statement of Applicability (Clause 6.1.3)
The list continues with further documented information required under Clauses 7.2, 9.1 and 9.2, among others.

What are the ISO 27001 requirements? ›

ISO 27001 requirements are the requisites that organisations need to implement and maintain to create a robust ISMS. They include scope, leadership commitment, policies, security controls, internal audits, risk assessment, and risk management.

What are the 10 steps to implement ISO 27001? ›

This blog explains how you can achieve ISO 27001 certification in ten easy steps.
  1. Prepare.
  2. Establish the scope, context, and objectives.
  3. Establish a management framework.
  4. Conduct a risk assessment.
  5. Implement controls to mitigate risks.
  6. Conduct training.
  7. Review and update the required documentation.
  8. Measure, monitor, and review.

How to understand ISO 27001? ›

ISO 27001 is the international standard for information security. Its framework requires organisations to identify information security risks and select appropriate controls to tackle them. Clauses 4–10 of the Standard define the broader requirements for an ISMS (information security management system).

What are ISO 27001 best practices? ›

ISO 27001 Checklist
  • Understand your organisation's needs.
  • Define your security policy.
  • Monitor data access.
  • Conduct security awareness training.
  • Implement device security measures.
  • Determine the security of employee offboarding.
  • Encrypt your data.
  • Back up your data.

What is the first step of ISO 27001? ›

ISO 27001 Checklist: 9-step Implementation Guide
  • Step 1: Assemble an implementation team.
  • Step 2: Develop the implementation plan.
  • Step 3: Initiate the ISMS.
  • Step 4: Define the ISMS scope.
  • Step 5: Identify your security baseline.
  • Step 6: Establish a risk management process.
  • Step 7: Implement a risk treatment plan.

How can I improve my ISO 27001? ›

Best practices for continual improvement in ISO 27001:
  • Involve everyone: continual improvement is everyone's responsibility. Involve staff at all levels of the organisation in the process.
  • Make it a priority: continual improvement should be a priority for the organisation. Set aside time and resources for it.

What is understanding the context of the organization ISO 27001? ›

ISO 27001:2022 Clause 4.1: Understanding the organisation and its context. The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

What is the basic understanding of ISO 27001? ›

An ISO 27001 ISMS consists of organisational, people, physical and technological controls, selected on the basis of regular risk assessments. Its technology- and vendor-neutral approach makes it suitable for all organisations, whatever their size, complexity, sector or location.

What is the primary purpose of identifying and analysing interested parties in ISO 27001:2013? ›

Combining this interested parties and stakeholder work with the internal and external issues you have identified in 4.1 helps lead towards a better understanding of where threats and opportunities might stem from in your information security management system.

What needs to be monitored and measured ISO 27001? ›

  • Information security performance: this includes monitoring and measuring the effectiveness of the ISMS in protecting the organisation's information assets.
  • ISMS effectiveness: this includes monitoring and measuring the effectiveness of the ISMS itself.
